PT-2023-24604 · Dataease · Dataease

Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 1.18.7 Description: A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The issue has been fixed in version 1.18.7. There are no known workarounds asi...

RESTEasy: creation of insecure temp files

In RESTEasy the insecure File.createTempFile is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user...

SUSE CVE-2009-0580

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /jsecuritycheck with malformed URL encoding of passwords, related to improper error checking in the 1...

SUSE CVE-2019-16335

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540...

SUSE CVE-2020-13430

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource...

SUSE CVE-2020-36185

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource...

CVE-2022-23498

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

Session fixation

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

UBUNTU-CVE-2022-23498

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

CVE-2022-23498 When query caching is enabled in Grafana users can query another users session

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

CVE-2022-23498

CVE-2022-23498 concerns Grafana: when datasource query caching is enabled, Grafana caches all headers, including grafana_session, which can allow a user querying a datasource with caching enabled to access another user’s session. The Nessus entry for CVE-2022-23498 describes this issue in Grafana...

CVE-2022-23498 When query caching is enabled in Grafana users can query another users session

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

PT-2023-1578 · Grafana +2 · Grafana +2

Name of the Vulnerable Software and Affected Versions: Grafana versions prior to 9.2.10 Grafana versions prior to 9.3.4 Description: The issue is related to the caching of datasource queries in Grafana, which includes caching of the grafana session header. This allows any user querying a datasour...

Use of Cache Containing Sensitive Information

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession . As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

GHSA-H6W8-52MQ-4QXC Apache Linkis contains Deserialization of Untrusted Data

In Apache Linkis =1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameter...

PT-2022-25242 · Apache · Apache Karaf

Name of the Vulnerable Software and Affected Versions: Apache Karaf versions prior to 4.4.2 and 4.3.8 Description: This issue is about a potential code injection when an attacker has control of the target LDAP server using the JDBC JNDI URL. The function...

OESA-2022-2077 grafana security update

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB. Security Fixes: Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin prox...

PT-2022-6257 · Apache +1 · Apache Linkis +1

Name of the Vulnerable Software and Affected Versions: Apache Linkis versions 1.3.0 and earlier Description: A deserialization vulnerability exists in Apache Linkis when used with the MySQL Connector/J, allowing for possible remote code execution impact. This occurs when an attacker has write...

io.dataease:dataease-plugin-datasource (>=1.10.0 <=1.15.0), io.dataease:dataease-plugin-interface (>=1.0 <=1.15.0) +1 more potentially affected by CVE-2022-39312 via io.dataease:dataease-plugin-common (>=1.0 <=1.15.0)

io.dataease:dataease-plugin-common MAVEN version =1.0, =1.10.0, =1.0, =1.10.0, =1.15.0 Source cves: CVE-2022-39312 Source advisory: OSV:GHSA-Q4QQ-JHJV-7RH2...

Security Bulletin: Sensitive Data Disclosure Vulnerability in IBM Infosphere Guardium (CVE-2012-3312)

Abstract Security Bulletin: Sensitive Data Disclosure Vulnerability in IBM Infosphere Guardium CVE-2012-3312 Content SUMMARY: Datasource definition editor sends password in clear text. VULNERABILITY DETAILS: CVE ID: CVE-2012-3312 DESCRIPTION: The datasource definition editor, login and password f...